directory-users mailing list archives

From Hans <>
Subject Re: HI
Date Mon, 09 Jul 2007 14:29:39 GMT

> Hopefully, there is no way to get the password from its encrypted form:
> this would be a major security breach!

Well actually there is, but you need to do some guesswork ;-)

Don't know if the password hash in ApacheDS is salted, though.

The password hash should not be possible to extract or query by anything
other than backup, not through a query.

If you are allowed to do a search like
$ ldapsearch -b o=some.root -s sub 'userPassword="{md5} b4b5835f03bd6748e0cc25790d6f3498"' dn
it would render you all objects with the attribute userPassword equal to
"the secret password", which may not be such a good idea.

iPlanet DS 4.x allowed searches on the userPassword attribute with
directory manager privs, I found out. Have not tested if this works with ApacheDS.
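
Added example, not part of the original message and not ApacheDS code: an audit over exported userPassword values showing why the salting question above matters. With an unsalted scheme, every entry with the same password stores the same value, so one equality match covers them all; with a per-entry salt, it does not. The RFC 2307-style {MD5} and {SSHA} encodings, the function names and the sample DNs are assumptions made for this example.

```python
import base64
import hashlib
import os
from collections import defaultdict

SALTED = {"SMD5", "SSHA"}  # schemes that carry a per-entry salt

def md5_value(password):
    """Unsalted {MD5}: base64 of the digest, identical for identical passwords."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def ssha_value(password, salt=b""):
    """Salted {SSHA}: base64(SHA1(password + salt) + salt), fresh salt per entry."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def scheme_of(value):
    """Return the upper-cased scheme prefix, or CLEARTEXT if there is none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"

def audit(entries):
    """Report DNs without a salted scheme and groups of DNs sharing one stored value."""
    by_value = defaultdict(list)
    unsalted = []
    for dn, value in entries.items():
        if scheme_of(value) not in SALTED:
            unsalted.append(dn)
        by_value[value].append(dn)
    shared = sorted(sorted(dns) for dns in by_value.values() if len(dns) > 1)
    return {"unsalted": sorted(unsalted), "shared": shared}

# Constructed sample export: four made-up entries that all use the same password.
SAMPLE = {
    "uid=alice,o=some.root": md5_value("the secret password"),
    "uid=bob,o=some.root": md5_value("the secret password"),
    "uid=carol,o=some.root": ssha_value("the secret password"),
    "uid=dave,o=some.root": ssha_value("the secret password"),
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("unsalted entries:", report["unsalted"])
    print("entries sharing a stored value:", report["shared"])
```

Run against a real export, any non-empty "shared" group means those entries would all be returned by a single equality filter on userPassword, which is the reason to deny search and compare on that attribute to everyone but the bind operation.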

